OSS uses JSON-formatted authorization policies for fine-grained access control over resources. This topic provides a quick reference for the syntax and elements of authorization policies that you can use to configure complex permissions quickly and accurately.
Authorization syntax
OSS authorization policies use the JSON format. They include two core fields: Version and Statement.
Syntax structure
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow|Deny",
        "Action": ["oss:ActionName"],
        "Principal": ["UID|*"],
        "Resource": ["acs:oss:*:*:bucket-name/*"],
        "Condition": {
          "ConditionOperator": {
            "ConditionKey": ["Value"]
          }
        }
      }
    ]
  }

Field descriptions
| Field | Description | Required |
|---|---|---|
| Version | The version of the access policy. The value is fixed to "1". | Yes |
| Statement | The main body of a policy statement. It contains one or more specific allow or deny rules. | Yes |
Statement elements
| Element | Description | Required |
|---|---|---|
| Effect | The effect of the policy. Valid values are Allow and Deny. | Yes |
| Action | The specific operation to perform on a resource. You can use the wildcard character (*). | Yes |
| Principal | The entity that the policy affects, such as a user, an account, or a role. When this field is set to an empty list | Required for bucket policies |
| Resource | The scope of resources that the policy affects. You can use the wildcard character (*). | Yes |
| Condition | The conditions for the policy to take effect. If you configure multiple conditions, all conditions must be met (an AND relationship) for the policy to take effect. | No |
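The element rules above (a fixed Version of "1", Effect limited to Allow or Deny, service-prefixed actions, a Principal that is required in bucket policies, acs:oss: resources) are easy to check mechanically before a policy is applied. The linter below is an added example written for this page, not code from Alibaba Cloud or the OSS SDKs; the sample policy, the account ID 123456789012 and the bucket name example-bucket are constructed. Its most useful finding is the last one: an Allow statement whose Principal is "*" and which carries no Condition grants the listed actions to every requester, which is the kind of policy that GetBucketPolicyStatus reports as public.

```python
import json

# Constructed sample bucket policy (not taken from the original page). The first
# statement is a public-read grant with no Condition; the second has an action
# written without its "oss:" service prefix.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Principal": ["*"],
            "Resource": ["acs:oss:*:*:example-bucket/*"]
        },
        {
            "Effect": "Allow",
            "Action": ["PutObject"],
            "Principal": ["123456789012"],
            "Resource": ["acs:oss:*:*:example-bucket/uploads/*"]
        }
    ]
})


def _as_list(value):
    """Normalize a single string or a list of strings to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy_text):
    """Check a bucket policy document against the element rules of this page.

    Returns a list of (severity, message) tuples; an empty list means no findings.
    """
    findings = []
    policy = json.loads(policy_text)

    if policy.get("Version") != "1":
        findings.append(("error", 'Version must be the fixed string "1"'))

    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append(("error", "Statement must be a non-empty list"))
        return findings

    for index, statement in enumerate(statements):
        where = f"Statement[{index}]"
        effect = statement.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(("error", f"{where}: Effect must be Allow or Deny, got {effect!r}"))

        actions = _as_list(statement.get("Action"))
        if not actions:
            findings.append(("error", f"{where}: Action is required"))
        for action in actions:
            if ":" not in action:
                findings.append(("error", f"{where}: action {action!r} lacks a service prefix such as oss:"))

        # Principal is required for bucket policies.
        principals = _as_list(statement.get("Principal"))
        if "Principal" not in statement:
            findings.append(("error", f"{where}: Principal is required in a bucket policy"))

        # Assumes the acs:oss:*:*:bucket-name/* resource form shown in the syntax block.
        resources = _as_list(statement.get("Resource"))
        if not resources:
            findings.append(("error", f"{where}: Resource is required"))
        for resource in resources:
            if not resource.startswith("acs:oss:"):
                findings.append(("error", f"{where}: resource {resource!r} is not an acs:oss: resource"))

        # Allow + Principal "*" + no Condition grants the listed actions to every
        # requester; flag it so that it is always a deliberate choice.
        if effect == "Allow" and "*" in principals and not statement.get("Condition"):
            findings.append(("warning", f"{where}: allows {', '.join(actions)} for all principals with no Condition"))

    return findings


if __name__ == "__main__":
    for severity, message in lint_policy(SAMPLE_POLICY):
        print(f"{severity}: {message}")
```

Run against the sample policy the linter reports one warning for the public statement and one error for the unprefixed action; wiring it into the deployment step that calls PutBucketPolicy turns the warning into a review gate.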
Action
Actions are categorized into service-level, bucket-level, and object-level operations based on their scope.
Service level
| API | Action | API description |
|---|---|---|
| | oss:ListBuckets | Lists all buckets that the requester owns. |
| | oss:ListUserDataRedundancyTransition | Lists all storage redundancy transition tasks for the requester. |
| None | oss:ActivateProduct | Activates OSS and the Content Moderation service. |
| None | oss:CreateOrder | Creates orders for OSS resource plans. |
| | oss:PutPublicAccessBlock | Enables Block Public Access for all of OSS. |
| | oss:GetPublicAccessBlock | Retrieves the configuration information for the global Block Public Access setting. |
| | oss:DeletePublicAccessBlock | Deletes the configuration information for the global Block Public Access setting. |
Bucket level
| API | Action | API description |
|---|---|---|
| | oss:PutBucket | Creates a bucket. |
| | oss:ListObjects | Lists information about all objects in a bucket. |
| | oss:GetBucketInfo | Views information about a bucket. |
| | oss:GetBucketLocation | Views the location information of a bucket. |
| | oss:GetBucketStat | Gets the storage capacity and number of files in a bucket. |
| | oss:PutBucketVersioning | Sets the versioning state for a specified bucket. |
| | oss:GetBucketVersioning | Gets the versioning state of a specified bucket. |
| | oss:ListObjectVersions | Lists version information for all objects in a bucket, including delete markers. |
| | oss:PutBucketAcl | Sets or modifies the ACL of a bucket. |
| | oss:GetBucketAcl | Gets the ACL of a bucket. |
| | oss:DeleteBucket | Deletes a bucket. |
| | oss:InitiateBucketWorm | Creates a retention policy. |
| | oss:AbortBucketWorm | Deletes an unlocked retention policy. |
| | oss:CompleteBucketWorm | Locks a retention policy. |
| | oss:ExtendBucketWorm | Extends the retention period in days for objects in a bucket that has a locked retention policy. |
| | oss:GetBucketWorm | Gets information about a retention policy. |
| | oss:PutBucketLogging | Enables log storage for a bucket. |
| | oss:PutObject | When you enable log storage for a source bucket, this action sets the source bucket logs to be written to another destination bucket. |
| | oss:GetBucketLogging | Views the log storage configuration of a bucket. |
| | oss:DeleteBucketLogging | Disables log storage for a bucket. |
| | oss:PutBucketWebsite | Configures a bucket for static website hosting and sets its redirection rules (RoutingRule). |
| | oss:GetBucketWebsite | Views the static website hosting status and redirection rules of a bucket. |
| | oss:DeleteBucketWebsite | Disables static website hosting for a bucket and clears its redirection rules. |
| | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
| | oss:GetBucketReferer | Views the hotlink protection (Referer) configuration of a bucket. |
| | oss:PutBucketLifecycle | Sets a lifecycle rule for a bucket. |
| | oss:GetBucketLifecycle | Views the lifecycle rule of a bucket. |
| | oss:DeleteBucketLifecycle | Deletes the lifecycle rule of a bucket. |
| | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket. |
| | oss:GetBucketTransferAcceleration | Views the transfer acceleration configuration of a bucket. |
| | oss:ListMultipartUploads | Lists all multipart upload events that are in progress. These are events that have been initiated but not yet completed or aborted. |
| | oss:PutBucketCors | Sets the cross-origin resource sharing (CORS) rules for a specified bucket. |
| | oss:GetBucketCors | Gets the current CORS rules for a specified bucket. |
| | oss:DeleteBucketCors | Disables the CORS feature for a specified bucket and clears all rules. |
| | oss:PutBucketPolicy | Sets the authorization policy for a specified bucket. |
| | oss:GetBucketPolicy | Gets the authorization policy of a specified bucket. |
| | oss:DeleteBucketPolicy | Deletes the authorization policy of a specified bucket. |
| | oss:PutBucketTagging | Adds or modifies the tags of a specified bucket. |
| | oss:GetBucketTagging | Gets the tags of a bucket. |
| | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
| | oss:PutBucketEncryption | Configures the encryption rules for a bucket. |
| | oss:GetBucketEncryption | Gets the encryption rules of a bucket. |
| | oss:DeleteBucketEncryption | Deletes the encryption rules of a bucket. |
| | oss:PutBucketRequestPayment | Configures the pay-by-requester mode. |
| | oss:GetBucketRequestPayment | Gets the configuration information for the pay-by-requester mode. |
| | oss:PutBucketReplication | Sets the data replication rules for a bucket. |
| | oss:ReplicateGet | Sets cross-account data replication rules for a bucket or specifies a RAM role for replication. |
| | oss:PutBucketRTC | Enables or disables replication time control (RTC) for an existing cross-region replication rule. |
| | oss:GetBucketReplication | Gets the configured data replication rules for a bucket. |
| | oss:DeleteBucketReplication | Stops data replication for a bucket and deletes its replication configuration. |
| | oss:GetBucketReplicationLocation | Gets the regions where destination buckets for replication can be located. |
| | oss:GetBucketReplicationProgress | Gets the data replication progress for a bucket. |
| | oss:PutBucketInventory | Configures inventory rules for a bucket. |
| | oss:GetBucketInventory | Views a specified inventory task in a bucket. |
| | oss:GetBucketInventory | Gets all inventory tasks in a bucket in a batch operation. |
| | oss:DeleteBucketInventory | Deletes a specified inventory task in a bucket. |
| | oss:PutBucketAccessMonitor | Configures the access tracking status for a bucket. |
| | oss:GetBucketAccessMonitor | Gets the access tracking status of a bucket. |
| | oss:OpenMetaQuery | Enables the metadata management feature for a bucket. |
| | oss:GetMetaQueryStatus | Gets the metadata index information for a bucket. |
| | oss:DoMetaQuery | Queries for objects that meet specified conditions and lists object information based on specified fields and sorting methods. |
| | oss:CloseMetaQuery | Disables the metadata management feature for a bucket. |
| | oss:InitUserAntiDDosInfo | Creates an Anti-DDoS for OSS instance. |
| | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS for OSS instance. |
| | oss:GetUserAntiDDosInfo | Queries for information about Anti-DDoS for OSS instances under a specified account. |
| | oss:InitBucketAntiDDosInfo | Initializes protection for a bucket. |
| | oss:UpdateBucketAntiDDosInfo | Updates the protection status of a bucket. |
| | oss:ListBucketAntiDDosInfo | Gets a list of protection information for a bucket. |
| | oss:PutBucketResourceGroup | Sets the resource group to which a bucket belongs. |
| | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs. |
| | oss:CreateCnameToken | Creates a CnameToken required for domain name ownership verification. |
| | oss:GetCnameToken | Gets a created CnameToken. |
| | oss:PutCname | Attaches a custom domain name to a bucket. |
| | yundun-cert:DescribeSSLCertificatePrivateKey, yundun-cert:DescribeSSLCertificatePublicKeyDetail, yundun-cert:CreateSSLCertificate | Attaches a certificate when you attach a custom domain name to a bucket. |
| | oss:ListCname | Gets a list of all custom domain names (Cnames) attached to a bucket. |
| | oss:DeleteCname | Deletes a Cname that is attached to a bucket. |
| | oss:PutStyle | Sets an image style. |
| | oss:GetStyle | Gets an image style. |
| | oss:ListStyle | Lists image styles. |
| | oss:DeleteStyle | Deletes an image style. |
| | oss:PutBucketArchiveDirectRead | Enables or disables real-time access of Archive objects for a bucket. |
| | oss:GetBucketArchiveDirectRead | Checks whether real-time access of Archive objects is enabled for a bucket. |
| | oss:CreateAccessPoint | Creates an access point. |
| | oss:GetAccessPoint | Gets information about a single access point. |
| | oss:DeleteAccessPoint | Deletes an access point. |
| | oss:ListAccessPoints | Gets information about user-level and bucket-level access points. |
| | oss:PutAccessPointPolicy | Configures an access point policy. |
| | oss:GetAccessPointPolicy | Gets information about an access point policy. |
| | oss:DeleteAccessPointPolicy | Deletes an access point policy. |
| | oss:PutBucketHttpsConfig | Enables or disables TLS version settings for a bucket. |
| | oss:GetBucketHttpsConfig | Views the TLS version settings for a bucket. |
| None | oss:ReplicateList | The list permission involved in the replication process. It lets OSS list the historical data of the source bucket and then replicate the historical data one by one. |
| | oss:CreateAccessPointForObjectProcess | Creates an object FC access point. |
| | oss:GetAccessPointForObjectProcess | Gets basic information about an object FC access point. |
| | oss:DeleteAccessPointForObjectProcess | Deletes an object FC access point. |
| | oss:ListAccessPointsForObjectProcess | Gets information about user-level object FC access points. |
| | oss:PutAccessPointConfigForObjectProcess | Modifies the configuration of an object FC access point. |
| | oss:GetAccessPointConfigForObjectProcess | Gets the configuration information of an object FC access point. |
| | oss:PutAccessPointPolicyForObjectProcess | Configures an access policy for an object FC access point. |
| | oss:GetAccessPointPolicyForObjectProcess | Gets the access policy configuration of an object FC access point. |
| | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the access policy of an object FC access point. |
| | oss:WriteGetObjectResponse | Customizes the returned data and response headers. |
| | oss:CreateBucketDataRedundancyTransition | Creates a storage redundancy transition task. |
| | oss:GetBucketDataRedundancyTransition | Gets a storage redundancy transition task. |
| | oss:DeleteBucketDataRedundancyTransition | Deletes a storage redundancy transition task. |
| | oss:ListBucketDataRedundancyTransition | Lists all storage redundancy transition tasks in a bucket. |
| | oss:PutBucketPublicAccessBlock | Enables Block Public Access for a bucket. |
| | oss:GetBucketPublicAccessBlock | Gets the Block Public Access configuration of a bucket. |
| | oss:DeleteBucketPublicAccessBlock | Deletes the Block Public Access configuration of a bucket. |
| | oss:PutAccessPointPublicAccessBlock | Enables Block Public Access for an access point. |
| | oss:GetAccessPointPublicAccessBlock | Gets the Block Public Access configuration of an access point. |
| | oss:DeleteAccessPointPublicAccessBlock | Deletes the Block Public Access configuration of an access point. |
| | oss:GetBucketPolicyStatus | Checks whether the current bucket policy allows public access. |
| PutBucketOverwriteConfig | oss:PutBucketOverwriteConfig | Configures the disallow overwrite setting for a bucket. |
| GetBucketOverwriteConfig | oss:GetBucketOverwriteConfig | Gets the disallow overwrite configuration of a bucket. |
| DeleteBucketOverwriteConfig | oss:DeleteBucketOverwriteConfig | Deletes the disallow overwrite configuration of a bucket. |
Object level
| API | Action | API description |
|---|---|---|
| | oss:PutObject | Uploads an object. |
| | oss:PutObjectTagging | When you upload an object, use x-oss-tagging to specify the object tag. |
| | kms:GenerateDataKey, kms:Decrypt | When you upload an object, specify that the object metadata contains X-Oss-Server-Side-Encryption: KMS. |
| | oss:PutObject | Uploads an object to a specified bucket using an HTML form. |
| | oss:PutObject | Uploads an object by appending data. |
| | oss:PutObjectTagging | When you upload an object by appending data, use x-oss-tagging to specify the object tag. |
| | oss:PutObject | Initializes a multipart upload task. |
| | oss:PutObjectTagging | When you initialize a multipart upload task, use x-oss-tagging to specify the object tag. |
| | kms:GenerateDataKey, kms:Decrypt | When you initialize a multipart upload task, specify that the object metadata contains X-Oss-Server-Side-Encryption: KMS. |
| | oss:PutObject | Uploads data in parts based on the specified object name and uploadId. |
| | oss:PutObject | After all data parts are uploaded, call this API to complete the multipart upload of the entire object. |
| | oss:PutObjectTagging | After all data parts are uploaded, call this API to complete the multipart upload of the entire object and specify its tags. |
| | oss:AbortMultipartUpload | Cancels a multipart upload event and deletes the corresponding part data. |
| | oss:PutObject | Creates a symbolic link for a target object in OSS. |
| | oss:PutObjectTagging | Creates a symbolic link with a specified object tag for a target object in OSS. |
| | oss:GetObject | Gets an object. |
| | kms:Decrypt | Downloads an object that is encrypted with a specified KMS key. |
| | oss:GetObjectVersion | Downloads a specified version of an object. |
| | oss:GetObject | Gets the metadata of an object. |
| | oss:GetObject | Gets the metadata of an object, including its ETag, Size, and LastModified information. |
| | oss:GetObject | Executes an SQL statement on a target object and returns the result. |
| | oss:GetObject | Gets the symbolic link of a target object. |
| | oss:DeleteObject | Deletes an object. |
| | oss:DeleteObjectVersion | Deletes a specified version of an object. |
| | oss:DeleteObject | Deletes multiple objects from the same bucket. |
| | oss:GetObject, oss:PutObject | Copies an object between buckets in the same region. The buckets can be the same or different. |
| | oss:GetObjectVersion | Copies a specified version of an object between buckets in the same region. The buckets can be the same or different. |
| | oss:GetObjectTagging, oss:PutObjectTagging | Copies an object with specified tags between buckets in the same region. The buckets can be the same or different. |
| | kms:GenerateDataKey, kms:Decrypt | When you copy an object, specify that the metadata of the destination object contains X-Oss-Server-Side-Encryption: KMS. |
| | oss:GetObjectVersionTagging | Copies a version of an object with specified tags between buckets in the same region. The buckets can be the same or different. |
| | oss:GetObject, oss:PutObject | Calls the UploadPartCopy API by adding the x-oss-copy-source request header to an UploadPart request. This copies data from an existing object to upload a part. |
| | oss:GetObjectVersion | Calls the UploadPartCopy API by adding the x-oss-copy-source request header to an UploadPart request. This copies data from a specified version of an existing object to upload a part. |
| | oss:ListParts | Lists all successfully uploaded parts that belong to a specified Upload ID. |
| | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
| | oss:PutObjectVersionAcl | Modifies the ACL of a specified version of an object in a bucket. |
| | oss:GetObjectAcl | Gets the ACL of an object in a bucket. |
| | oss:GetObjectVersionAcl | Gets the ACL of a specified version of an object in a bucket. |
| | oss:RestoreObject | Restores an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
| | oss:RestoreObjectVersion | Restores a specified version of an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
| | oss:PutObjectTagging | Sets or updates the tagging information of an object. |
| | oss:PutObjectVersionTagging | Sets or updates the tagging information of a specified version of an object. |
| | oss:GetObjectTagging | Gets the tagging information of an object. |
| | oss:GetObjectVersionTagging | Gets the tagging information of a specified version of an object. |
| | oss:DeleteObjectTagging | Deletes the tagging information of a specified object. |
| | oss:DeleteObjectVersionTagging | Deletes the tagging information of a specified version of an object. |
| | oss:PutLiveChannel | Before you upload audio and video data over RTMP, you must call this API to create a LiveChannel. |
| | oss:ListLiveChannel | Lists specified LiveChannels. |
| | oss:DeleteLiveChannel | Deletes a specified LiveChannel. |
| | oss:PutLiveChannelStatus | Switches the status between enabled and disabled. |
| | oss:GetLiveChannel | Gets the configuration information of a specified LiveChannel. |
| | oss:GetLiveChannelStat | Gets the stream ingest status of a specified LiveChannel. |
| | oss:GetLiveChannelHistory | Gets the stream ingest records of a specified LiveChannel. |
| | oss:PostVodPlaylist | Generates a playlist for video-on-demand for a specified LiveChannel. |
| | oss:GetVodPlaylist | Views the playlist generated from stream ingest for a specified LiveChannel within a specified time period. |
| None | oss:PublishRtmpStream | Pushes audio and video data streams to RTMP. |
| None | oss:ProcessImm | The permission to use IMM for data processing through OSS. |
| | oss:GetObject | The permission to use IMM for data processing through a POST request. |
| | oss:PutObject | The permission to use IMM for Saveas data processing. |
| | oss:PostProcessTask | Saves the processed image to a specified bucket. |
| | imm:CreateOfficeConversionTask | The permission to use IMM for document conversion or snapshots. |
| | imm:GenerateWebofficeToken | Used to obtain a Weboffice token. |
| | imm:RefreshWebofficeToken | Used to refresh a Weboffice token. |
| None | oss:ReplicateGet | The read permission involved in the replication process. It lets OSS read data and metadata from the source and destination buckets, including objects, parts, and multipart uploads. |
| None | oss:ReplicatePut | The write permission involved in the replication process. It lets OSS perform write operations related to replication on the destination bucket. These operations include writing objects, multipart uploads, parts, and symbolic links, and modifying metadata. |
| None | oss:ReplicateDelete | The delete permission involved in the replication process. It lets OSS perform delete operations related to replication on the destination bucket. These operations include DeleteObject, AbortMultipartUpload, and DeleteMarker. Note: You must grant this action to the RAM role only when you select Sync All for data replication. |
Resource pool QoS
| API | Action | API description |
|---|---|---|
| | oss:PutBucketQoSInfo | Sets throttling for a bucket in a resource pool. |
| | oss:GetBucketQoSInfo | Gets the throttling configuration for a bucket in a resource pool. |
| | oss:DeleteBucketQoSInfo | Deletes the throttling configuration for a specified bucket in a resource pool. |
| | oss:PutBucketRequesterQoSInfo | Sets bucket-level throttling for a requester. |
| | oss:GetBucketRequesterQoSInfo | Gets the bucket-level throttling configuration for a specified requester. |
| | oss:ListBucketRequesterQoSInfo | Gets the bucket-level throttling configurations for all requesters. |
| | oss:DeleteBucketRequesterQoSInfo | Deletes the throttling configuration for a requester of a bucket. |
| | oss:ListResourcePools | Gets information about all resource pools under the current account. |
| | oss:GetResourcePoolInfo | Gets the throttling configuration of a specified resource pool. |
| | oss:ListResourcePoolBuckets | Gets the list of buckets included in a specified resource pool. |
| | oss:PutResourcePoolRequesterQoSInfo | Configures throttling for a requester of a resource pool. |
| | oss:GetResourcePoolRequesterQoSInfo | Gets the throttling configuration for a specified requester in a resource pool. |
| | oss:ListResourcePoolRequesterQoSInfos | Gets the throttling configurations for all requesters in a resource pool. |
| | oss:DeleteResourcePoolRequesterQoSInfo | Deletes the throttling configuration for a specified requester in a resource pool. |
Vector bucket
| API | Action | API description |
|---|---|---|
| | oss:PutVectorBucket | Creates a vector bucket. |
| | oss:GetVectorBucket | Gets the details of a vector bucket. |
| | oss:ListVectorBuckets | Lists all vector buckets that the requester owns. |
| | oss:DeleteVectorBucket | Deletes a vector bucket. |
| | oss:PutBucketLogging | Enables log storage for a vector bucket. |
| | oss:PutObject | When you enable log storage for a source vector bucket, this action sets the source vector bucket logs to be written to another destination bucket. |
| | oss:GetBucketLogging | Views the log storage configuration of a vector bucket. |
| | oss:DeleteBucketLogging | Disables log storage for a vector bucket. |
| | oss:PutBucketPolicy | Sets the authorization policy for a specified vector bucket. |
| | oss:GetBucketPolicy | Gets the authorization policy of a specified vector bucket. |
| | oss:DeleteBucketPolicy | Deletes the authorization policy of a specified vector bucket. |
| | oss:PutVectorIndex | Creates a vector index. |
| | oss:GetVectorIndex | Gets the details of a vector index. |
| | oss:ListVectorIndexes | Lists all vector indexes in a vector bucket. |
| | oss:DeleteVectorIndex | Deletes a vector index. |
| | oss:PutVectors | Writes vector data. |
| | oss:GetVectors | Gets specified vector data. |
| | oss:ListVectors | Lists all vector data in a vector index. |
| | oss:QueryVectors | Performs a vector similarity search. |
| | oss:DeleteVectors | Deletes specified vector data from a vector index. |
Resource
The Resource element specifies one or more resources. You can use the asterisk (*) as a wildcard character. A single bucket policy can include multiple resources.
Bucket
| Category | Format | Example |
|---|---|---|
| Bucket level | | |
| Object level | | |
| Resource pool level | | |
Vector bucket
| Resource level | Format | Example |
|---|---|---|
| All vector resources | | |
| Vector bucket | | |
| Vector index | | |
| Vector data | | |
The region field currently supports only the wildcard asterisk (*).
Condition
The Condition element specifies the conditions under which a policy takes effect. It consists of a condition operator, a condition key, and a condition value.
Condition operators
| Condition operator type | Supported types |
|---|---|
| String | |
| Number | |
| Date and time | |
| Boolean | Bool |
| IP Address Type | |
Condition keys
| Condition key | Description |
|---|---|
| acs:SourceIp | Specifies a standard IP CIDR block. The asterisk ( |
| acs:SourceVpc | Specifies the VPC. The value can be a specific VPC ID or Note When you use |
| acs:UserAgent | Specifies the HTTP User-Agent header. Type: string. |
| acs:CurrentTime | The time when the request arrives at the OSS server. Format: ISO 8601. |
| acs:SecureTransport | The protocol type of the request. Valid values: If |
| oss:x-oss-acl | Restricts the type of bucket ACL. Valid values: For more information, see Bucket ACL. |
| oss:x-oss-object-acl | Restricts the type of object ACL. Valid values: For more information, see Object ACL. |
| oss:Prefix | Used in a ListObjects request to list objects with a specified prefix. |
| oss:Delimiter | Used in a ListObjects request as the character to group object names. |
| acs:AccessId | The AccessId included in the request. |
| oss:BucketTag | A bucket tag. A single BucketTag can be used as a Condition. When you set multiple BucketTags, you must add the |
| acs:MFAPresent | Specifies whether multi-factor authentication (MFA) is enabled. Values: |
| oss:ExistingObjectTag | The requested object is already tagged. A single ObjectTag can be used as a condition. When you use multiple ObjectTags, you must add This applies mainly to APIs for reading files, such as |
| oss:RequestObjectTag | The object tags included in the request. A single object tag can be used as a condition. When multiple object tags are specified, you must add This mainly applies to API operations for writing files, such as |
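To see how the statement elements and the Condition element combine into a decision, the following evaluator models the semantics this page describes: Action, Principal and Resource matched with "*" as the wildcard, all condition operators and keys ANDed together, and a condition written as operator, key and list of values. It is an added example written for this page, not code from Alibaba Cloud or the OSS service, and it simplifies in three labelled ways: the operator names IpAddress, NotIpAddress, StringEquals, StringLike and Bool are the RAM policy operator names assumed here (the operator table above lost its entries), a matching Deny is modelled as overriding any Allow with an implicit Deny when nothing matches, and a condition key absent from the request is treated as not satisfied. The policy, account ID, bucket name and CIDR 203.0.113.0/24 are constructed.

```python
import ipaddress
import re

# Constructed sample policy (not from the original page): reads by one account are
# allowed only from an office CIDR over HTTPS, and every request from outside that
# CIDR is explicitly denied.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Principal": ["123456789012"],
            "Resource": ["acs:oss:*:*:example-bucket/*"],
            "Condition": {
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
                "Bool": {"acs:SecureTransport": ["true"]},
            },
        },
        {
            "Effect": "Deny",
            "Action": ["oss:*"],
            "Principal": ["*"],
            "Resource": ["acs:oss:*:*:example-bucket/*"],
            "Condition": {"NotIpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}},
        },
    ],
}


def glob_match(pattern, value):
    """Match with '*' as the only wildcard, as used in Action, Principal and Resource."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _any_match(patterns, value):
    return any(glob_match(p, value) for p in patterns)


def condition_holds(condition, context):
    """Evaluate a Condition block: every operator/key pair must hold (AND).

    Within one key, any listed value may match. A key absent from the request
    context is treated as not satisfied (an assumption of this model).
    """
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = _any_match(expected, actual)
            elif operator == "Bool":
                ok = str(actual).lower() in [str(e).lower() for e in expected]
            elif operator in ("IpAddress", "NotIpAddress"):
                address = ipaddress.ip_address(actual)
                inside = any(address in ipaddress.ip_network(c, strict=False) for c in expected)
                ok = inside if operator == "IpAddress" else not inside
            else:
                raise ValueError(f"operator {operator!r} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Return "Allow" or "Deny" for a request dict with action, principal, resource, context.

    Modelled rules (assumptions, not taken from the page): a matching Deny wins
    over any Allow, and with no matching statement the result is Deny.
    """
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _any_match(statement["Action"], request["action"]):
            continue
        if not _any_match(statement["Principal"], request["principal"]):
            continue
        if not _any_match(statement["Resource"], request["resource"]):
            continue
        if not condition_holds(statement.get("Condition", {}), request["context"]):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def sample_request(source_ip, secure="true", action="oss:GetObject"):
    """Build a constructed request against the sample policy."""
    return {
        "action": action,
        "principal": "123456789012",
        "resource": "acs:oss:*:*:example-bucket/reports/q1.csv",
        "context": {"acs:SourceIp": source_ip, "acs:SecureTransport": secure},
    }
```

Walking the four obvious requests through it shows why the AND rule matters: a read from inside the CIDR over plain HTTP fails the Bool half of the Allow statement and, because the Deny statement does not match either, ends at the implicit Deny; only a request that satisfies every key in the Condition block reaches "Allow".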